Wilkens: An ounce of preparation: assessments, tabletop exercises, and penetration tests

    Cybersecurity isn’t just about tools and tactics; it’s about building a culture of readiness.
    July 22, 2025
    6 min read

    “An ounce of preparation is worth a pound of cure.” ~Benjamin Franklin, 1736

    This statement is just as relevant to cybersecurity in 2025 as it was to fire prevention in Philadelphia in 1736. Cyberattacks occur every single day across the transportation sector. Experiencing a significant cybersecurity incident or a full-blown breach is not a question of if, but when. How prepared will you be?

    An organization that is well-prepared and has both the training and the technology in place to minimize the damage of an incident will recover faster, suffer less financial impact, retain customers, retain reputation, and be more confident as they work through a cybersecurity incident. This can make the difference between experiencing a serious but manageable disruption or suffering a catastrophic impact on the business.

    I wrote previously about developing an overall cybersecurity strategy, building a risk-based security program that aligns with your business strategy, and documenting incident response plans. These are the foundations on which to build a strong cybersecurity program and start working toward cyber-resilience for the organization.

    Once technical controls are in place and IR plans are documented, the work of testing and verifying the defenses begins. We are also ready to start training our teams to use these response plans, to refine them, and to rehearse them to the point where an organized, efficient response is a function of muscle memory and not just an optimistic goal.

    Vulnerability assessments

    We started building our risk register with a risk assessment to discover relevant risks in all areas of the business. Similarly, we start testing our security program through vulnerability assessments.

    These can be automated with a range of open-source and commercial tools. Vulnerability assessments can be run internally or conducted by trusted third-party partners. The goal of a vulnerability assessment is to discover the known vulnerabilities that exist in the software and systems deployed across the organization.

    It is important to highlight that vulnerability assessments identify known vulnerabilities. This is the “low-hanging fruit” that can be addressed through proper patch management and software/system selection that focuses on lowering available attack surface. Identifying and addressing known vulnerabilities that pose significant or unacceptable risk to the business is an important and worthwhile step, but it does not truly identify the total risk that the organization faces from potential cyberattacks.

    Penetration testing

    To fully assess the strength of both the technical controls and the operational controls that the organization has put in place, penetration testing is required. Where the vulnerability assessment can be conducted either by internal or external teams, a penetration test must be conducted by an external team.

    The team conducting the penetration test will simulate an actual cyberattack and can leverage physical attempts to access facilities, social engineering, and technical exploits to attempt to gain access to internal systems and networks. This kind of simulation can uncover gaps in the controls that are deployed, or the way in which they are deployed, that a vulnerability assessment simply cannot.

    A vulnerability assessment will identify all the possible vulnerabilities that could theoretically be used by a threat actor, whereas the penetration test will give you a very clear picture of which combinations of technical vulnerabilities, training lapses, and control gaps can be used by a determined adversary and what the resulting damage would be. Put differently, a vulnerability assessment can score the locks on your doors and the break strength of your windows, but a penetration test will show you which tree the burglar will use to reach which window, what will catch their eye inside your house, and how they’ll get those valuables back out of your house without getting caught.


    A word of caution before you start your first penetration test engagement: It is critical that all parties involved (both the penetration testing team and the business leadership) clearly identify and contractually agree to the rules of engagement for the duration of the test. A business cannot afford to have a penetration test knock out a critical production system during peak periods.

    Once the results of the penetration test are in, work with your internal security team or managed security service provider to prioritize and mitigate the vulnerabilities that were identified. These kinds of tests should be conducted periodically (annually is a common interval), and after any major technical system changes or business process changes (mergers, acquisitions, etc.).

    Tabletop exercises

    The other component of readiness testing has much less to do with the technical controls or even the systems involved. Tabletop exercises instead focus on how well your teams understand their roles during an incident, and they surface gaps in your response plans so those gaps can be fixed before a real-world incident rather than discovered in the middle of a full-blown cyberattack.

    Much like risk assessments, tabletop exercises must include all areas of the business, not just technical teams. Leadership plays a vital role in response, as do general counsel, communications teams, customer service advocates, and most other groups that interact with parties outside the business. These groups must also play a vital role in tabletop exercises and be included in readiness training. Scenarios used for tabletops should be drawn from your business’ prioritized risk register and focus on real-world, high-probability incidents.

    Ransomware attacks are extremely common and can be crippling for any operation; these types of attacks make a great starting point for tabletop exercises. However, cyberattacks are not the only scenarios that should be considered. If your organization operates in a flood zone, consider how you might manage a physical event such as a catastrophic flood that disrupts access to your facilities or destroys key operational assets. If you haul high-value freight that is often a target of theft, you can create a related tabletop scenario to rehearse your incident response.

    A cybersecurity culture

    Cybersecurity isn’t just about tools and tactics; it’s about building a culture of readiness. It’s about knowing that when (not if) a cyber incident happens, your organization won’t be starting from scratch. You’ll already have the playbook in hand, the players lined up, and the practice behind you.

    By establishing a strategy, aligning security with business risk, implementing technical controls, and testing both your tools and your team, you will be well on your way to making cyber resilience a core competency in your organization. This translates to faster recovery, less disruption, and stronger trust with your customers and partners.

    The next step is yours. Start small, start smart—but start. The value of preparation is not theoretical. It's measurable, it’s operational, and it's what separates organizations that endure from those that don’t. Make time to rehearse. Make the space to improve. Above all, make cybersecurity readiness a business expectation, not just a compliance checkbox.

    About the Author

    Ben Wilkens

    Ben Wilkens, CISSP, CISM, is a cybersecurity principal engineer at the National Motor Freight Traffic Association. In his role at NMFTA, Ben spearheads research initiatives and leads teams dedicated to developing cybersecurity technologies, methodologies, and strategies to safeguard information systems and networks. He collaborates with academic institutions, industry partners, and government agencies to advance cybersecurity practices and knowledge.
